Open Bug 1235291 Opened 8 years ago Updated 2 years ago

DLLs in download folder security hole

Categories

(Core :: Security, defect)

42 Branch
defect

UNCONFIRMED

People

(Reporter: maxpolk, Unassigned)

Details

(Keywords: dupeme)

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20151029151421

Steps to reproduce:

Once a DLL from one site is downloaded to the "Downloads" folder, any executable downloaded from any other site afterwards, and then run, has a chance to be hijacked, due to Windows discovering DLLs in the same directory as an executable.

By reusing the same directory all the time for downloads, accumulated DLLs introduce a serious attack vector, which all browsers including Mozilla keep wide open. Reusing a single "Downloads" folder to accumulate all things downloaded ends up being a bad tradition on Windows, and this bug is opened seeking to close it.


Actual results:

This explains a step-by-step procedure to reproduce the problem: http://textslashplain.com/2015/12/18/dll-hijacking-just-wont-die/


Expected results:

Somehow each download should be in a separate folder, perhaps a subdirectory of the "Downloads" folder.  Then, executables from one site won't accidentally be hijacked by DLLs from another site.
Component: Untriaged → Security
Product: Firefox → Core
Whiteboard: [DUPEME]
While Firefox users can be attacked via this method, Firefox requires user confirmation of every DLL download and does not permit the user to opt out of that prompt. As a consequence, Firefox users are considerably less susceptible to attack than Chrome and Edge users. 

Notably, however, there is the possibility of a blended attack, wherein Chrome or Edge drops a DLL and that DLL is later used by an executable that Firefox downloaded.
Severity: normal → S3
Keywords: dupeme
Whiteboard: [DUPEME]
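
An added example, not part of the bug report or of Firefox's code: a defender-side audit that checks a flat download folder for the condition discussed above, DLL images sitting in the same directory as downloaded executables. It classifies files by their PE/COFF header; `fake_pe` and the file names are constructed sample input.

```python
import struct
import tempfile
from pathlib import Path

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit that marks a DLL image


def pe_kind(path):
    """Classify a file as 'dll', 'exe' or None from its PE/COFF header."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if len(head) < 0x40 or head[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", head, 0x3C)  # e_lfanew
    if pe_off + 24 > len(head) or head[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    (flags,) = struct.unpack_from("<H", head, pe_off + 22)  # Characteristics
    return "dll" if flags & IMAGE_FILE_DLL else "exe"


def audit_download_dir(folder):
    """Return the PE DLLs and executables that share one flat folder."""
    found = {"dll": [], "exe": []}
    for entry in sorted(Path(folder).iterdir()):
        kind = pe_kind(entry) if entry.is_file() else None
        if kind:
            found[kind].append(entry.name)
    return found


def fake_pe(flags):
    """Constructed sample: DOS header, PE signature and COFF header only."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, flags)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed file names standing in for a shared Downloads folder.
        Path(tmp, "setup.exe").write_bytes(fake_pe(0x0002))
        Path(tmp, "version.dll").write_bytes(fake_pe(0x2002))
        Path(tmp, "notes.txt").write_text("not a PE file")
        report = audit_download_dir(tmp)
        for name in report["dll"]:
            print(f"DLL beside downloaded executables: {name} (exes: {report['exe']})")
```

Any entry under `"dll"` is worth reviewing even when `"exe"` is empty, since the report's concern is executables downloaded into the same folder afterwards.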